[Samba] pam_winbind, ssh and cross-forest membership...
Marco Gaiarin
gaio at lilliput.linux.it
Tue Jan 11 13:38:07 UTC 2022
Hi! Rowland Penny via samba
On that day it was said...
> Have you set up trusts between 'SUBA.DOM.IT' and 'DOM.IT' ?
Sure!
>> id a
> Problem is, you should be using 'id DOMAIN\\a' , where 'DOMAIN' is the
> workgroup of user 'a'.
Forgot to say: 'winbind use default domain = Yes'.
>> There's some way to force it? Thanks.
> It will undoubtedly help if you post your smb.conf file.
Oh, sorry Rowland, true.
[global]
    kerberos method = secrets and keytab
    realm = DOM.IT
    security = ADS
    template shell = /bin/bash
    winbind expand groups = 5
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = DOM
    idmap config * : range = 1000 - 9999
    idmap config SUBD : backend = rid
    idmap config SUBD : range = 700000 - 749999
    idmap config SUBC : backend = rid
    idmap config SUBC : range = 500000 - 549999
    idmap config SUBB : backend = rid
    idmap config SUBB : range = 300000 - 349999
    idmap config SUBA : backend = rid
    idmap config SUBA : range = 10000 - 99999
    idmap config DOM : backend = rid
    idmap config DOM : range = 2000000-2999999
    idmap config * : backend = tdb
Following 'alex' hint I've added 'winbind expand groups = 5'; in this way
effectively a 'getent group groupa' returns all the membership, also in
other domains (e.g., returns 'SUBA\\usera'), but still a simple 'id SUBA\\usera'
does not return 'groupa' (or 'DOM\\groupa') as membership.
--
My son Christian used to say that death must be something
beautiful, since no one ever came back. (Yolande Mukagasana)
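Added example, not part of the original message: a shell check for the symptom described above, listing the members that 'getent group' reports for a group but whose own 'id' group list lacks that group. The function names are hypothetical, the comparison ignores the domain prefix as a simplification, and 'id -z' assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check group membership
# as seen from the group side (getent) and from the user side (id).

# Live lookups; both go through NSS/winbind on a domain member.
# Redefine these two functions to replay captured output instead.
lookup_group() { getent group "$1"; }
lookup_user_groups() { id -Gnz "$1" | tr '\0' '\n'; }  # one group per line

# Members from a getent line "name:passwd:gid:m1,m2,...", one per line.
group_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Drop a leading "DOMAIN\" so 'groupa' and 'DOM\groupa' compare equal.
# Simplification: same-named groups in different domains are not told apart.
strip_domain() { sed 's/^.*\\//'; }

# Print every member that getent lists for group $1 but whose own
# group list does not contain that group. Returns 2 if the group is unknown.
inconsistent_members() {
    want=$(printf '%s\n' "$1" | strip_domain)
    line=$(lookup_group "$1") || return 2
    group_members "$line" | while IFS= read -r member; do
        if ! lookup_user_groups "$member" | strip_domain | grep -Fxq -- "$want"; then
            printf '%s\n' "$member"
        fi
    done
}
```

Running `inconsistent_members groupa` on the affected host prints one line per user whose membership is visible only from the group side; empty output means both views agree.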